EAL - Evaluation assurance level

Evaluation assurance level - به اختصار EAL - مجموعه ای از هفت قرار داد است تا نیازهای CC - Common Criteria - را بر آورده کند.بیشتر این استاندارد ها برای استفاده مشتریان دولتی و نظامی لازم است. هر کدم از این هفت سطح فراهم آورنده میزان اعتماد و اطمینان پذیری یک محصول است. به اختصار می توان این 7 سطح را در غالب جدول زیر بیان کرد :

EAL 0	Inadequate Assurance
EAL 1	Functionally Tested. Provides analysis of the security functions, using a functional and interface specification of the TOE, to understand the security behaviour. The analysis is supported by independent testing of the security functions.
EAL 2	Structurally Tested. Anaysis of the security functions using a functional and interface specification and the high level design of the subsystems of the TOE. Independent testing of the security functions, evidence of developer “black box” testing, and evidence of a development search for obvious vulnerabilities.
EAL 3	Methodically Tested and Checked. The analysis is supported by “grey box” testing, selective independent confirmation of the developer test results, and evidence of a developer search for obvious vulnerablitities. Development environment controls and TOE configuration management are also required.
EAL 4	Methodically Designed, Tested and Reviewed. Analysis is supported by the low-level design of the modules of the TOE, and a subset of the implementation. Testing is supported by an independent search for obvious vulnerabilities. Development controls are supported by a life-cycle model, identification of tools, and automated configuration management.
EAL 5	Semiformally Designed and Tested. Analysis includes all of the implementation. Assurance is supplemented by a formal model and a semiformal presentation of the functional specification and high level design, and a semiformal demonstration of correspondence. The search for vulnerabilities must ensure relative resistance to penetration attack. Covert channel analysis and modular design are also required.
EAL 6	Semiformally Verified Design and Tested. Analysis is supported by a modular and layered approach to design, and a structured presentation of the implementation. The independent search for vulnerabilities must ensure high resistance to penetration attack. The search for covert channels must be systematic. Development environment and configuration management controls are further strengthened.
EAL 7	Formally Verified Design and Tested. The formal model is supplemented by a formal presentation of the functional specification and high level design showing correspondence. Evidence of developer “white box” testing and complete independent confirmation of developer test results are required. Complexity of the design must be minimised.

می توانید تفصیلات کامل هر سطح را در این جا بخوانید : Evaluation assurance levels

اطلاعات بیشتری را هم در این سایت ها پیدا خواهید کرد: www.cesg.gov.uk | Common Criteria Assurance Levels | The National Information Assurance Partnership

علت این نوشته هم خبری بود که حاکی از تلاش Red Hat برای گرفتن EAL 2 برای محصول Red Hat Enterprise Linux می داد.می توانید اصل خبر را در اینجا ببینید. نکته ای که جالب به نظر می رسد این است که برخی از نسخه های ویندوز EAL4 را کسب کرده اند و کمپانی Red Hat به تازگی توانسته است با کمک از Oracle به EAL 2 دست پیدا کند.آیا این چیز ها هم با پول خریداری می شود؟ شاید هر چه قدر مبلغ بیشتری پرداخت شود سطح امنیتی بالاتری کسب شود ، به این جمله توجه کنید :

Security is not a destination; it’s a way of travelling. It’s not a product; it’s a procedure.

These icons link to social bookmarking sites where readers can share and discover new web pages.